Monday, April 6, 2009

Oracle Weblogic IIS remote buffer overflow



I think this new Weblogic exploit found on milw0rm is particularly nasty, as Weblogic is a Java application server used as the backend for some very large enterprises, both for internal and external-facing web applications, many of which house millions of financial records and transactions. These types of exploits scare me in that they have the potential to lead to a huge financial data compromise...

This also brings to mind some interesting attack vectors for finding targets. My girlfriend works in sales for an IT services/recruiting firm, and just last week she was asking me what a Weblogic administrator was, since she was trying to find consultants to fill a new project. I immediately thought of this new vulnerability: instead of traditional banner scanning for Weblogic, an attacker can simply pull up Monster.com and find the next Fortune 1000 company to 0wn.

http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic

Scary stuff... anyway, drop this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...

**** Updated sig to match the vulnerability, not the exploit code...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)
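To see what the rule's content and isdataat checks actually test, here is an added example (not code from the original post, from Emerging Threats or from the milw0rm script) that emulates sid 2009216 in Python over constructed raw HTTP requests. The URI shape copies the PoC's `POST /index.jsp?;JSESSIONID=` followed by the padding; the hostname, the session-ID value, and treating the isdataat boundary as inclusive are assumptions.

```python
"""Emulation of ET sid 2009216 (CVE-2008-5457, WebLogic IIS connector JSESSIONID overflow).

Added example, not the original post's or Emerging Threats' code. It reproduces the
rule's three payload checks on a raw HTTP request:
  uricontent:".jsp?"        -> '.jsp?' appears in the request URI (case-insensitive)
  uricontent:"JSESSIONID="  -> 'JSESSIONID=' appears in the request URI (case-insensitive)
  isdataat:5132,relative    -> at least 5132 more bytes of URI follow that match
"""

ISDATAAT_BYTES = 5132  # threshold from the rule (the PoC pads with "B" x 5132)


def request_uri(raw_request: bytes) -> bytes:
    """Return the request-target from the first line of a raw HTTP request.

    uricontent only inspects the request URI, never headers or the body, so that
    is the only part of the request this emulation looks at.
    """
    first_line = raw_request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches_rule(raw_request: bytes) -> bool:
    """True if the request satisfies the rule's content and isdataat checks."""
    uri = request_uri(raw_request)
    lower = uri.lower()                      # 'nocase' on both uricontent matches
    if b".jsp?" not in lower:
        return False
    idx = lower.find(b"jsessionid=")         # no distance/within: anywhere in the URI
    if idx == -1:
        return False
    cursor = idx + len(b"jsessionid=")       # 'relative' = measured from the end of the match
    remaining = len(uri) - cursor
    # isdataat:N,relative asks whether N bytes of data exist past the cursor. The
    # first JSESSIONID= occurrence leaves the most data, so one find() suffices.
    # Treating the boundary as inclusive (remaining >= N) is an assumption.
    return remaining >= ISDATAAT_BYTES


def build_request(session_value: bytes, path: bytes = b"/index.jsp") -> bytes:
    """Constructed request with the same URI shape as the milw0rm PoC."""
    return (b"POST " + path + b"?;JSESSIONID=" + session_value + b" HTTP/1.1\r\n"
            + b"Host: weblogic.example.com\r\n"      # assumed hostname
            + b"Content-Length: 0\r\n\r\n")


# Constructed samples (no real traffic).
BENIGN = build_request(b"4ZvJ8Kx1TgpLq2WzQ9mN7cR5vB3yH0sF")      # normal-length session id
OVERFLOW = build_request(b"B" * ISDATAAT_BYTES)                   # PoC-style padding, no shellcode
LONG_BODY = (b"POST /index.jsp?;JSESSIONID=abc HTTP/1.1\r\n"
             b"Host: weblogic.example.com\r\n"
             b"Content-Length: 6000\r\n\r\n" + b"B" * 6000)      # long body, short URI
NOT_JSP = b"GET /static/app.html?JSESSIONID=" + b"B" * 6000 + b" HTTP/1.1\r\n\r\n"


def scan(samples: dict) -> dict:
    """Run the emulated rule over a name->request map; returns name->alerted."""
    return {name: matches_rule(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in scan({"benign": BENIGN, "overflow": OVERFLOW,
                           "long_body": LONG_BODY, "not_jsp": NOT_JSP}).items():
        print(f"{name:10s} alert={hit}")
```

Two things the emulation makes visible: uricontent only inspects the normalized request URI, so a long POST body never trips the rule, and there is no distance/within between `.jsp?` and `JSESSIONID=`, so the rule fires on any .jsp request whose URI carries 5132 or more bytes after `JSESSIONID=`, which a legitimate WebLogic session ID (a few dozen characters) never does. On a real sensor the flow must also arrive on a port in $HTTP_PORTS and be parsed by http_inspect for the URI buffer to exist at all.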

5 comments:

srujan said...

In the rule you developed (SID 300999), why the hex value?
|35 44 38 45 51 4b 5a 4c 4b 50 4a 45 48 4c|

Do these values overflow the stack pointer?

Greg Martin said...

I originally wrote it for a public exploit, content matching on the shellcode; I just updated it to match on the vulnerability.

srujan said...

Why exactly 5132 bytes? Actually, in the exploit provided (milw0rm 8336) he is overwriting all pointer locations!! As per my understanding, pointer locations change based on the OS we use.. So the length may change?

srujan said...

Sorry.. it doesn't depend on the OS but on the processor..

Greg Martin said...

To overflow the JSESSIONID in his perl script, he inserts "B" x 5132 into the URI before inserting the shellcode:

print $sock "POST /index.jsp?;JSESSIONID=" .
"B" x 5132 .
$shellcode .